Annual Report Privacy Act April 1, 2016 – March 31, 2017

Chapter I - Report on the Privacy Act

1.0 Introduction

The Privacy Act protects the privacy of Canadian citizens and permanent residents against the unauthorized use and disclosure of personal information about themselves held by a government institution. It also provides individuals with a right of access to that information and the right to correct inaccurate personal information. In addition, the Privacy Act legislates how the government collects, stores, disposes, uses and discloses personal information.

Section 72 of the Privacy Act requires that the Head of every federal government institution submit an annual report to Parliament on the administration of this Act over the fiscal year. The Minister of Public Safety and Emergency Preparedness has delegated the administration of the Privacy Act, including the reporting of the Annual Report, to the Commissioner of the Correctional Service of Canada (CSC).

This report describes how CSC fulfilled its privacy responsibilities during the reporting period covering 2016-2017.

2.0 Organization

2.1 About Correctional Service of Canada

CSC was formed in 1979 through the amalgamation of the Canadian Penitentiary Service and the Parole Board of Canada (PBC). CSC has the fundamental obligation to contribute to public safety by actively encouraging and assisting offenders to become law-abiding citizens, while exercising reasonable, safe, secure and humane control.

It does this by operating under the rule of law, in particular the Correctional and Conditional Release Act (CCRA), which provides its legislative framework. The Commissioner of CSC has the authority, extending from the CCRA, to issue directives, procedures and guidelines to carry out the agency's operations.

CSC contributes to public safety by administering court-imposed sentences for offenders sentenced to two years or more. This involves managing institutions (penitentiaries) of various security levels and supervising offenders on different forms of conditional release, while assisting them in become law-abiding citizens. CSC also administers post-sentence supervision of offenders with Long Term Supervision Orders for up to 10 years.

CSC works closely with its Public Safety Portfolio partners, including the Royal Canadian Mounted Police (RCMP), PBC, the Canada Border Services Agency (CBSA), the Canadian Security Intelligence Service (CSIS), and three review bodies, including the Office of the Correctional Investigator (OCI).

2.2 The Access to Information and Privacy (ATIP) Division

The Access to Information and Privacy (ATIP) Division is part of the Policy Sector and reports to the Director General of Rights, Redress and Resolution. The Division is responsible for the overall administration of the Access to Information Act (ATIA) and the Privacy Act. In addition, each sector, region, institution, district, parole office and community correctional centre has an access to information and privacy liaison who assists the national ATIP Division in administering its overall responsibilities.

During the 2016-2017 fiscal year, the ATIP Division continued to improve and streamline its processes with the overall goal of increasing the efficiency of the office.

The ATIP Division is comprised of one Director, three Deputy Directors, five Team Leaders, one Senior Policy Advisor, a Policy and Training Unit and 27 Analysts who process requests for information under the ATIA and Privacy Act. There is also an Information Processing and Reporting Unit comprised of one Office Manager and a team of clerical support staff. The IPRU is responsible for processing incoming requests, generating routine correspondence, tasking the institutions in order to retrieve records for privacy requests, ensuring quality control, preparing final release packages for the mail, and providing general support to the ATIP office. There are four Privacy teams dedicated to the processing of requests made under the Privacy Act - each team is led by one Team Leader and comprises analysts ranging from the PM-02 to PM-04 levels. There are 19 Analysts in total. The teams are responsible for reviewing and analyzing documents, providing guidance, conducting consultations, processing complaints received about their files from the Office of the Privacy Commissioner (OIC), and providing guidance and support to program areas on the application of the Privacy Act. The Policy and Training Unit develops reports, policies, guidelines, tools and procedures to support ATIP requirements within CSC, oversees the Privacy Impact Assessment process, manages privacy breaches, processes complaints on the use and disclosure of personal information from the Office of the Privacy Commissioner (OPC) and acts as a complaints liaison for the ATIP Division, and provides training to CSC employees.

During the 2016-2017 fiscal year, there were 23 full-time equivalents (FTE), four casual employees, and one consultant whose time was devoted to Privacy Act activities. In addition, there were seven FTEs on extended leave.

2.3 Privacy Governance at CSC

The Privacy Committee was created in 2008, providing CSC with an opportunity to fulfill its commitment to ensuring that privacy is a core consideration in its responsibilities for managing the personal information of its employees, of offenders and members of the public.

The Privacy Committee is responsible for the following:

  • establishing processes and procedures to ensure that privacy principles are reflected in policy and program development;
  • examining the impact on CSC of privacy issues raised by research and by the privacy community, especially the OPC;
  • providing senior level review of privacy issues and challenges that arise at the operational level and rendering decisions where necessary; and
  • reviewing particular risk issues escalated for its consideration (e.g. serious privacy breaches) and monitoring the implementation of Treasury Board policies.

While the ATIP Division acts as the privacy policy focal point for CSC by guiding the development of privacy policies and guidelines, the Privacy Committee is the key mechanism to ensure that CSC's Privacy Management Framework is implemented in a collaborative way with full cooperation from sectors and regions. CSC's management framework represents its commitment to the protection of personal information, describes the processes in place to achieve sound privacy management practices, and establishes clear objectives and standards for the collection, accuracy, security, use, disclosure, transmission, access, retention and disposal of personal information at CSC.

2.4 Operational Challenges

CSC holds large amounts of personal information, and as a result the biggest challenges the ATIP Division continues to face are the volume of requests we receive under the Privacy Act, and trying to meet the legislated timelines. Examples include:

  • The ATIP Division continues to receive routine requests from offenders for their personal information held in the 10 identified Personal Information Banks. Since the requesters do not narrow the scope of their requests and do not identify what information may be a priority for them to receive, ATIP continues to struggle with meeting the legislated timeframes while dealing with broad requests for extensive amounts of information. This contributes to a backlog of Privacy Act requests.
  • ATIP has seen a trend in offenders submitting multiple requests. Since the Privacy Act does not have a section dealing with frivolous and vexatious requests, ATIP is obligated to process these requests.
  • The ATIP Division continues to receive a number of employee requests. Many of these requests relate to discipline, harassment cases, grievances and terminations. As CSC deals with the backlog of Public Service Labour Relations Board (PSLRB) hearings, ATIP is impacted since employees who are appearing before the PSLRB typically submit requests in preparation for their hearings.
  • The ATIP Division continues to receive large amounts of requests under sections 8(2)(e) and 8(2)(f) of the Privacy Act from the RCMP, Offices of the Attorney General, Canada Revenue Agency and police services. These requests are usually time sensitive, and therefore must be processed on an urgent basis.
  • The ATIP Division vets disciplinary, harassment and fact-finding investigations for CSC. These tend to be time sensitive and generally have a two-week turnaround time.
  • In addition to the increased number of complex requests, the ATIP Division resources were used to support Department of Justice (DOJ) on a number of ongoing litigation cases
  • Retention of qualified ATIP professionals continues to be a challenge as more staff retire and leave for other opportunities.

3.0 Highlights & Accomplishments

3.1 Improved Efficiencies

During the 2016-2017 fiscal year, CSC ATIP identified and implemented practices in an effort to make things more efficient. These include:

  • Building the ATIP Division's Human Resources component. During this past fiscal year, a number of staffing actions, deployments and appointments were launched in an effort to build ATIP's staff complement. The resulting actions included the appointments of a new Deputy Director, ATIP analysts and clerical support (CR-04 to PM-04 levels). An external competition for a PM-05 Team Leader is currently underway and is expected to be staffed in 2017-2018.
  • The implementation of a new process as a result of the Correctional Investigator's "In the Dark" Report, to provide as much information as possible to family members of deceased offenders and to ensure follow up with a designated point of contact that can meet to discuss the specifics in a compassionate manner.
  • Regional sites, including institutions, continuing to scan documents to the ATIP Division through a secure drive which has resulted in records being provided for processing in a more timely fashion while at the same time contributing to a paperless environment.
  • The use of encryption of emails allowing for the more timely exchange of Protected B information with government partners, in particular the OPC and OIC.
  • The refinement of the complaint management process so that the ATIP Division can work closely with the OPC to respond to formal complaints and queries using a single point of contact. New written procedures were developed and a Complaints Coordinator has been named to monitor the standard complaints email account.
  • The Information Processing and Reporting Unit (formerly the Intake Unit) continuing to be the central hub for the ATIP divisional intake process, providing ongoing support to the ATIP Division. One of their key activities is to clear and inventory the ATIP division's file room to ensure that the Division is only keeping information required for retention.

3.2 Backlog

During the last fiscal year, CSC continued to make it a priority to address the backlog. As a result of the volume of requests coming in and in an effort to prevent additional files from going late, the ATIP Division now has one dedicated team to address these files, while the remaining teams can focus on current requests.

3.3 Litigation Projects

During this fiscal year, CSC ATIP worked with the DOJ on a number of Litigation projects that resulted in the review and retrieval of documents to assist with the collection and indexing of documents in relation to ongoing court cases. A number of the ATIP Division's resources were diverted from operational duties to respond quickly to these particular requests.

3.4 Development of Exemption Rationales

As a result of staff feedback, the ATIP Division is currently developing a set of rationales that will assist in the application and consistency of exemptions applied concerning various subjects. This document will be used by staff as a central resource for ATIP information, specifically in complaint responses.

3.5 Policies, Guidelines, and Procedures

Over the past year, the Policy and Training Unit has continued to update internal guidelines and procedures as required, including the drafting of a Memorandum of Understanding for provincial Crowns as part of a new process in response to Dangerous Offender Hearing requests. CSC's ATIP Division has also:

  • improved reporting of Privacy Act requests through weekly reports to senior management;
  • refined functions in the AccessPro Case Management system to include early resolution complaints; and
  • the development of service standards which were provided to the ATIP community for privacy consultation requests sent to CSC.

3.6 Training & Awareness

The Policy and Training Unit plays a fundamental role in developing and delivering training to employees at National Headquarters (NHQ), Regional Headquarters and at the institutional level across Canada, as well as the ATIP staff, on ATIP related matters.

During this reporting period, the ATIP Division continued delivering ATIP Awareness training to the sectors and the regions in order to ensure CSC employees have an understanding of ATIP and the importance of their role in the process. One of the main components of training is to inform staff of the Privacy Breach Guidelines and how to report and to prevent breaches from occurring.

The format of the training uses question and answer sessions - an approach designed to focus on the employee's role in order to assist them in responding to requests and fulfilling their obligations.

Regional ATIP Liaisons delivered training sessions within their regions.

Employees were trained from various areas of CSC, including:

  • Health Services
  • Technical Services and Facilities
  • ATIP Liaisons
  • Strategic Policy
  • Assistant Wardens and Deputy Wardens
  • Security Intelligence Officers

A total of 13 training sessions were delivered this reporting period - 185 employees received ATIP training at NHQ and in the regions.

The Policy and Training Unit continues to offer training to Regional ATIP Liaisons and provide advice and answer questions and concerns regarding training, policy and guidelines, interpretations of the acts through its GEN-NHQ Policy and Training email account.

3.7 ATIP Website - Internal and External

CSC's ATIP Division continued to work with the e-Communications colleagues on the Intranet Renewal Project. The new site will educate the wider CSC community on privacy related issues, including ATIP legislation, policies and procedures, directives, privacy breach prevention and reporting, Privacy Impact Assessment (PIA) procedures, and a list of ATIP Tips and Bulletins.

CSC's external website is user-friendly and includes dedicated pages for instructions on submitting access and privacy requests and how to make a request for correction of personal information, the duty to assist, an up-to-date list of the PIAs, and frequently asked questions. To view the ATIP Division's Internet site, please visit:

3.8 Info Source

CSC is responsible for providing comprehensive, accurate and up-to-date descriptions of its functions, programs, activities and Personal Information Banks (PIBs) that describe the collection, use, disclosure and retention of personal information in Info Source. CSC updates its PIBs on an annual basis to ensure that they are aligned with the appropriate Class of Records.

CSC's Info Source chapter can be found on its external website:

3.9 Ongoing Activities and Monitoring Compliance

Throughout the 2016-2017 fiscal year officials of the ATIP Division supported the administration of the Privacy Act through many of its other activities, including:

  • Providing privacy advice to various program areas regarding new initiatives, for example:
    • Victim Services (Portal)
    • Community Reintegration
    • Health Services (Offender Health Information System)
    • Community Engagement
    • Human Resources Management
    • Information Management (document collection technology)
    • Informatics and Technology
    • Learning and Development
    • CORCAN
    • Finance
    • Citizenship and Engagement
    • Corporate Services
    • Women Offender (Child Link Videoconference)
    • Senior Deputy Commissioner
  • Reviewing CSC's forms to ensure they contain the required privacy statements.
  • Participating as a member of GCconnex - the Forum serves as a direct link to the ATIP community where members discuss issues including PIAs, policy developments and training initiatives.
  • Attending networking functions with other ATIP colleagues such as the ATIP Community meetings presided by the Treasury Board Secretariat (TBS), as well as their workshops.
  • Maintaining a relationship with the OPC. CSC has ongoing meetings and discussions with the OPC in order to address any ongoing issues stemming from complaints in order to come to a timely resolution.
  • Assisting program areas with the completion of PIAs Checklists for new initiatives and projects, and reviewing them in order to determine if a full PIA is required.
  • Assisting with the drafting of PIAs, Information Sharing Agreements, Privacy Notices and Memoranda of Understanding for new initiatives.
  • Providing advice to CSC employees on privacy matters, including how to report on and prevent breaches of personal information and ensure that corrective measures are implemented and responding to general ATIP questions from our colleagues in the sectors and regions.
  • Serving as the Secretariat for CSC's Privacy Committee chaired by the Assistant Commissioner of the Policy Sector.
  • Compliance reports continue to be generated and reviewed by Senior Management on a weekly basis, including briefings by the ATIP Director, to ensure that Privacy Act requests are being processed by legislative due dates.
  • An access to information component remains in the Performance agreements for Senior Management which requires them to sign off on all transmittal notices and checklists in an effort to ensure accuracy and thoroughness of all access to information retrievals.
  • The restructuration of the ATIP Division's workflow to better organize and decrease the processing time for requests.
  • Actively monitoring the intake and processing of files on a weekly basis as well as regularly reassessing priorities and redistributing workloads.

4.0 Privacy Impact Assessments

There were two PIAs completed during the 2016-2017 reporting period. At the end of the reporting period, there were three ongoing PIAs which are expected to be completed during the next reporting period.

5.0 Privacy Breaches

CSC is among the top 10 federal departments that collect and handle the largest amount of personal information. Over the 2016-2017 reporting period, the ATIP Division processed 181 privacy breaches. It should be noted that most of the privacy breaches are low risk.

CSC takes breaches of personal information seriously and continues to educate staff on the protection of personal information as follows:

  • An ongoing component of our training includes a comprehensive section on privacy breaches.
  • Staff is continuously reminded of their obligations to safeguard and protect personal information and adopt privacy sensitive approaches in the workplace.
  • The ATIP Division continues to work with all liaisons on how to report on privacy breaches, implement corrective measures and prevent further privacy breaches, in order to cultivate a culture of awareness regarding the importance of safeguarding personal information.
  • The ATIP Division continues to monitor the daily situation reports of security incidents for breaches of personal information in order to ensure all breaches have been reported in accordance with the Breach Guidelines.

6.0 Delegation of Authority

An updated Delegation Order for the Privacy Act was signed by the Minister of Public Safety and Emergency Preparedness.

The responsibilities associated with the administration of the Privacy Act, such as notifying applicants of extensions and transferring requests to other institutions, are delegated to the departmental ATIP Coordinator through a delegation instrument signed by the Minister of Public Safety and Emergency Preparedness. The approval of exemptions remains with the Director, the Deputy Directors as well as the Team Leaders. Delegation for public interest releases, as well as research and statistics, rests with the Commissioner, the Senior Deputy Commissioner and the Assistant Commissioner of the Policy Sector.

A detailed delegation instrument can be viewed in Appendix A.

Chapter II - Privacy Act Statistical Report and Supplementary Reporting Requirements for 2016-2017

7.0 Statistical Report

See Appendix B for CSC's Statistical Report on the Privacy Act.

8.0 Interpretation of the 2016-2017 Statistical Report

8.1 Requests Received under the Privacy Act

In 2016-2017, CSC received 6,861 Privacy Act requests. A total of 7,784 requests were carried over from the previous reporting year, totaling 14,645 requests requiring processing in 2016-2017. Please refer to Appendix B for the Statistical Report.


This graph shows that in the 2014-2015 reporting period, there were 12,489 formal requests that required processing. In 2015-2016, there were 14,414 requests and in 2016-2017 there were 14,645 requests.

8.2 Disposition of Requests

Of the 4,326 requests completed during the 2016-2017 reporting period, 672 requests were full disclosures; 2,019 were partial disclosure; 14 were withheld in their entirety; 776 were unable to process resulting from no records existing; 838 were abandoned by the applicant and seven were neither confirmed nor denied. In total, 599,106 pages were processed.


This graph shows that in the 2016-2017 reporting period, 672 requests were fully disclosed; 2,019 were partially disclosed; 14 were withheld in their entirety; 776 were unable to be processed; 838 were abandoned; and seven were neither confirmed nor denied.

8.3 Exemptions

A breakdown of the exemptions applied during this reporting period is as follows:

Exemption Description Number of Times Applied
Obtained in Confidence 752
Federal-Provincial Affairs 0
International Affairs and Defence 1
Law Enforcement & Investigation 1,125
Security Clearances 0
Individuals Sentenced for an Offence 127
Safety of the Individuals 7
Information about another individual 2,093
Solicitor-Client Privilege 25
Medical Record 0
Information to be published 0
Library/Museum Material 0

8.4 Completion Time

During the reporting period, CSC completed 742 requests in less than 30 days; 956 between 31 and 60 days; 593 requests between 61 to 120 days; and 2,035 were completed in over 121 days.

8.5 Informal Requests

During the reporting period CSC received 450 informal requests. A total of 399 requests were carried over from the previous reporting year, totaling 849 informal requests requiring processing in 2016-2017. These include:

  • releasing information through informal means where possible;
  • reviewing investigation reports, including fact-finding, harassment, disciplinary, and Board of Investigation reports; and
  • reviewing requests from employees concerning their personnel files.

A total of 335 informal requests were closed during 2016-2017.

8.6 Method of Access

Where information was available for release, copies were provided in 2,691 cases which included paper copies, electronic, CDs and examination.

8.7 Corrections and Notations

No requests for correction of personal information were received last fiscal year.

8.8 Consultations from Other Institutions and Organizations

The ATIP Division's workload involves responding to consultations in response to formal requests received by other institutions and organizations CSC works closely with its partners under the Public Safety portfolio such a CBSA, RCMP, CSIS, PBC and the OCI, in order to respond to consultations in a timely fashion.

During the 2016-2017 reporting period, the ATIP Division received a total of 32 consultations from other institutions and organizations.

The following chart provides the type and number of consultations received over the 2016-2017 reporting year:

Type of Consultation Number of Consultations Received in 2016-2017
Other government institutions 27
Other organizations 5
Total 32

9.0 Supplementary Reporting Requirements

9.1 Complaints and Investigations

Applicants have the right of complaint to the OPC pursuant to the Privacy Act and may exercise this right at any time during the processing of their request. At the end of this reporting period, CSC received a total of 344 complaints and 188 findings were issued. There is an increase in the number of complaints received this fiscal year (241 complaints were received in 2015-2016).

The majority of the privacy complaints received during this reporting period concern denial of access, use and disclosure, and delay/time limit complaints. CSC processed 4,326 requests and received 344 complaints representing eight percent of the requests processed by CSC.

The following chart provides a breakdown of the complaints made to the OPC:

Type of Complaint Received Finding Active
Access 28 23 33
Delay/Time Limits 279 140 173
Collection 10 2 35
Use and Disclosure 10 7 17
Retention and Disposal 0 0 0
Correction/Notation 1 0 1
Exemptions 2 2 1
Extension 5 7 1
Language 9 7 6
Total 344 188 267

* Please note that some findings and active complaints have been carried over from previous years.

Some key issues raised and subsequent actions taken as a result of the privacy complaints CSC received and the OPC's investigations and recommendations during this reporting period are:

  1. Timeliness of our responses to requests has remained an issue; however, as the backlog is reduced, it is expected that this will be resolved.
  2. Some complaints arise out of privacy breaches. The ATIP Division continues to place an emphasis on training our Regional ATIP Liaisons so that they in turn can train regional employees on the protection of personal information. CSC ATIP reports all medium and high level breaches to the OPC, and continues to address any follow-up questions in a timely manner.
  3. Over the past year, the OPC has provided the ATIP Division with a number of recommendations concerning the management of privacy within CSC institutions. Subsequently, the basic handling procedures of personal information have been discussed with management at the institutions and new procedures have been implemented to ensure the proper handling of personal information.
  4. CSC has ongoing meetings and discussions with the OPC in order to address any ongoing issues stemming from complaints in order to come to a timely resolution.

9.2 Disclosure of Personal Information Pursuant to 8(2)

Subsection 8(2) of the Privacy Act states that "personal information under the control of a government institution may be disclosed" under certain specific circumstances without the consent of the individual.

The mandate of CSC requires that it routinely shares personal information with other areas of the Criminal Justice Community and Law Enforcement Agencies (which includes municipal, provincial, international, federal police forces or other law enforcement bodies) to ensure the offenders are appropriately managed in a safe, secure and humane environment and to ensure the safety of the offender, other offenders, staff and the community at large.

The following is a statistical breakdown of disclosures pursuant to 8(2) of the Privacy Act:

Paragraph Description Requests Received
8(2)(b) Personal information may be disclosed "in accordance with any Act of Parliament or any regulation…that authorizes its disclosure." 1
8(2)(c) Personal information may be disclosed to comply "with a subpoena or warrant issued or order made by a court, a person or body with jurisdiction to compel the production of information" or to comply "with rules of court relating to the production of information." 28
8(2)(d) Personal information may be disclosed "to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada." 20
8(2)(e) Personal information may be disclosed "to an investigative body […] for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation…" 93
8(2)(f) Personal information may be disclosed "under an agreement or arrangement between the Government of Canada […] and the government of a province [or territory] […] for the purpose of administering or enforcing any law or carrying out a lawful investigation." 301
8(2)(l) Personal information may be disclosed "to any government institution for the purpose of locating an individual in order to collect a debt owing […] by that individual or make a payment owing to that individual…" 8
8(2)(m) Personal information may be disclosed when "…it is in the public interest or (when) disclosure would clearly benefit the individual to whom the information relates."
Note: These arise out of Access to Information requests from family members seeking information to understand the circumstances surrounding the death of their relative while incarcerated.
Note: The Privacy Commissioner was notified prior to disclosure in all cases.

9.3 Federal Court

There were no federal court cases filed against CSC in this reporting period.

9.4 Resources

The ATIP Division expended a total of $2,346,263 - $2,244,611 in salary costs, $7,296.00 in professional services contracts, and $82,315 in overtime costs. There was $12,041 in operating costs.

Appendix A – Privacy Act Delegation


Appendix B - Statistical Report